Archive for August, 2009

We didn’t have the chance to be at BH USA ’09, but we’ve seen that there were several talks about mobile security, and there seems to be a solid consensus in considering this the new frontier of security. Mobile devices nowadays support many complex interfaces and protocols: GSM/UMTS network, IP network, Bluetooth, smart cards and more. This not only exposes more attack surface than traditional computers, but also means that a mix of several small, unrelated security flaws could result in a much bigger one.
The Black Hat USA 09 archives list a talk by Jesse Burns, of iSEC Partners, about Android’s security model, while Kevin Mahaffey, John Hering and Anthony Lineberry of Flexilis presented a fuzzer for mobile platforms that is not device-specific.
But the most impressive work was presented by Charlie Miller and Collin Mulliner; they managed to inject SMS messages past the radio section, directly into the phone’s processing chain. This technique has been applied to iPhone, Android and Windows Mobile; not having to rely on the network to send messages gets rid of the associated costs, and allows for fast and thorough testing (fuzzing) of the SMS processing stack. The results lived up to expectations: both Android and iPhone could be crashed by malformed binary messages, allowing for an effective Denial of Service attack, while Windows Mobile is still under scrutiny. The vulnerability on iPhone was also found to potentially allow remote code execution with full privileges, without any warning to the user and without any way to stop the messages.
While Apple had to quickly release a security update, SMS is confirmed as one of the most investigated attack vectors.
However, other general issues could have a significant impact on mobile security; Moxie Marlinspike’s “More Tricks for Defeating SSL” is an effective attack against (almost any) popular web browser, but it affects connections from mobile devices as well. As we pointed out, SSL is the last line of defense against the “Hijacking mobile data connection” attack we discovered, so knowing it can be attacked isn’t reassuring at all. We’ve begun testing the attack on various mobile platforms, and we will post the results as soon as we can.